Last week, from Chicago came a little bit of holiday cheer and good tidings for P.F. Chang’s China Bistro when the District Court dismissed two class action complaints arising out of a data breach.
The Breach: On June 12, 2014, P.F. Chang reported it had a data breach that began in October 2013 involving patrons’ credit and debit card information. The attacks have been attributed to hacking groups in Russia using the Backoff malware – the same malware used in attacks on other major retailers this year. The malware, once installed, can collect credit card “track data” from a point of sale system’s (PoS) memory and return it to a centralized command server controlled by hackers. Reports estimate that using this method the P.F. Chang hackers compromised nearly 7 million cards.
The Patron’s Complaints: Within weeks of P.F. Chang disclosing the breach, two P.F. Chang patrons, John Lewert and Lucas Kosner, filed class action suits (Lewert Complaint, Kosner Complaint). The complaints allege that PF Chang failed to secure and safeguard its customers’ personal financial data, breached an implied contract to protect the data and violated Illinois and other state consumer fraud statutes.
The Motion to Dismiss: In response to the complaints, P.F. Chang moved to dismiss on grounds that plaintiffs’ implied contract and consumer fraud claims were not viable as a matter of law, and more importantly, plaintiffs have suffered no damage.
PF Chang’s Holiday Cheer: After briefing and a hearing, the Court’s entered an Order in P.F. Chang’s favor holding that plaintiffs suffered no damage and thus lacked standing. The court in dismissing plaintiffs’ complaints rejected their five categories of alleged harm:
- Overpayment: Plaintiffs claimed they overpaid for their food with the implicit understanding that their payment covered the costs for protection of their personally identifiable information (PII). The Court held that plaintiffs did not plead P.F. Chang charged a higher price when paying with credit or that plaintiffs expected additional value when paying with credit.
- Fraudulent Charges: Plaintiffs claimed they were damaged by fraudulent charges. The Court found plaintiff Lewert did not allege fraudulent charges, and although plaintiff Kosner had fraudulent activity, it was merely in the form of attempted or declined charges and there was no allegation that activity was tied to the breach. The Court further noted Kosner did not allege any monetary damages in money taken or fees.
- Opportunity Costs: Kosner claimed he was without a debit card for several days after cancelling the card with the potentially stolen information, which caused damaged in his inability to accrue rewards points while waiting for a replacement card. The Court found Kosner failed to allege he would have used the card to accrue points during that period and held that simply being without a debit card for several days is not a cognizable injury.
- Identity Theft: Plaintiffs claimed injury in the increased risk of identity theft. The Court found there were no allegations that any actual identity theft occurred and held that increased risk of identity theft and speculation of future harm do not constitute actual injury.
- Mitigation of Damages: Plaintiffs claimed that expenses incurred to mitigate risk of identity theft qualify as injuries. The court rejected plaintiffs’ claims noting that plaintiffs cannot manufacture standing by incurring costs in anticipation of non-imminent harm. The court noted Kosner had already replaced his card and there were no allegations that any theft occurred.
The court dismissed Lewert’s and Kosner’s cases for lack of standing last Wednesday. Lewert and Kosner filed an appeal to the Seventh Circuit two days later. In the meantime, a related action by Travelers Indemnity Company remains pending against P.F. Chang in Connecticut. In that action Travelers seeks declaratory relief that it is not obligated to defend or indemnify P.F. Chang under a Commercial General Liability insurance policy.